New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use X.509 credentials specified in rucio.cfg with gfal operations #3957
Comments
Hi @mkszuba yes, you are absolutely right. By default gfal uses the X509_USER_PROXY, or alternatively the X509_USER_CERT & X509_USER_KEY environment variables. My suggestion would be to check if these variables exist, and if not use the values from the rucio.cfg Would that be an ok approach? |
Makes sense to me - that way these variables will not suddenly stop working for people who do use them. Moreover, from what I can see in the code rucio-clients already support X509_USER_PROXY - albeit only for certain protocols (it would probably make sense to perform the relevant environment lookups only once, e.g. while populating self.creds in baseclient). |
Needs to be added here rucio/lib/rucio/rse/protocols/gfal.py Line 189 in a106bb1
|
…cio#3957 It is only used if the gfal context wasn't already configured to use other credentials. This is done to avoid breaking existing configurations.
…cio#3957 It is only used if the gfal context wasn't already configured to use other credentials. This is done to avoid breaking existing configurations.
…cio#3957 It is only used if the gfal context wasn't already configured to use other credentials. This is done to avoid breaking existing configurations.
…_rucio_cfg Protocols: allow usage of rucio.cfg x509 proxy for gfal operations #3957
Motivation
(Note: for simplicity I shall discuss this for the auth_type = x509_proxy scenario, that said the same applies to 'x509')
It would IMHO be very useful if the Rucio client set the X.509 credentials of gfal operations to those Rucio itself uses. As things stand now, 'rucio download' and 'rucio upload' end up looking for the proxy certificate in /tmp/x509up_u${UID} regardless of what the value of client_x509_proxy in rucio.cfg is - and unless gfal2 or its Python bindings feature some magic environment variables for this purpose, there doesn't seem to currently be a way of changing this behaviour. This can lead to somewhat confusing behaviour when interactions with the Rucio server itself work fine but things break as soon as a file transfer is to be executed.
Modification
At a quick glance at the code, it seems this would be a simple matter of extending rucio.rse.protocols.gfal.connect() to set additional option strings on the newly created gfal2 context:
similarly to how it is already done with bearer tokens. I haven't tested this yet, though.
The text was updated successfully, but these errors were encountered: